
User Agent

Under Construction

Overview

  • Definition

    The User-Agent request header in HTTP(S) communication lets servers identify properties of the client, such as the operating system and browser it is using.

  • Use case

    Threat actors often configure their malware to use common user agents in order to blend in with legitimate communications, but they sometimes make mistakes such as typos or choosing a nonsensical user agent, which can allow detection and pivoting (e.g., an infected Linux machine using a Windows user agent).

  • Example

    ... is a user-agent typical of ...

  • Pivot Map
    flowchart LR
        classDef secondary stroke-dasharray: 5 5
    
        %% define nodes
        IP_ADDRESS(IP Address)
        SAMPLE(Sample)
        USER_AGENT(User Agent)
        USER_AGENT_(User Agent):::secondary
    
        %% define edges
        IP_ADDRESS -- uses --> USER_AGENT
        USER_AGENT <-- similar --> USER_AGENT_
        SAMPLE -- uses --> USER_AGENT
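As an added example, not part of this page, the Python below applies the checks described in the use case above (a typo in a legitimate product token, an unrecognised product token, an empty value, and an OS claim that contradicts the host inventory) to constructed proxy events, then follows the pivot-map edge "IP Address uses User Agent" back from a flagged user agent to every client IP that sent it. The asset inventory, the typo list and the events are constructed for the example.

```python
import re

# Constructed asset inventory: client IP -> OS reported by endpoint management.
ASSET_OS = {"10.0.0.5": "Linux", "10.0.0.7": "Windows"}

# Constructed proxy events: (client_ip, user_agent).
EVENTS = [
    ("10.0.0.7", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                 "(KHTML, like Gecko) Chrome/120.0 Safari/537.36"),
    ("10.0.0.5", "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 "
                 "(KHTML, like Gecko) Chrome/55.0 Safari/537.36"),
    ("10.0.0.7", "Mozila/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"),
    ("10.0.0.9", "Mozila/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"),
    ("10.0.0.5", "-"),
]

# OS that each platform token inside a user agent claims.
OS_CLAIMS = [("Windows", re.compile(r"Windows NT")),
             ("Linux", re.compile(r"X11; Linux|Android")),
             ("macOS", re.compile(r"Macintosh"))]
# Product tokens a browser-like user agent is expected to start with.
KNOWN_PREFIXES = ("Mozilla/", "Opera/")
# Constructed misspellings of the legitimate "Mozilla/" token.
TYPO_TOKENS = ("Mozila/", "Mozzilla/", "Mozilla /")

def claimed_os(ua):
    """Return the OS the user agent claims, or None if no known token is present."""
    for name, pattern in OS_CLAIMS:
        if pattern.search(ua):
            return name
    return None

def check_user_agent(ip, ua):
    """Return the reasons this user agent looks suspicious for this client."""
    findings = []
    if ua.strip() in ("", "-"):
        return ["empty user agent"]
    typos = [t for t in TYPO_TOKENS if t in ua]
    if typos:
        findings.append(f"typo of legitimate token: {typos[0]!r}")
    elif not ua.startswith(KNOWN_PREFIXES):
        findings.append("unrecognised product token")
    claimed, actual = claimed_os(ua), ASSET_OS.get(ip)
    if claimed and actual and claimed != actual:
        findings.append(f"claims {claimed} but inventory says {actual}")
    return findings

def pivot_on_user_agent(events, ua):
    """Pivot-map edge IP -- uses --> UA: every client IP that sent this exact UA."""
    return sorted({ip for ip, seen in events if seen == ua})
```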
    

Pivots

IP Addresses

Addresses of attacker-controlled servers using it


Try it out
TO DO

Addresses of infected clients using it


Try it out
TO DO

Samples

Samples of malware using it
